Traditional Security Checklist
Rules, Groups, and Values defined within the XCCDF Benchmark
-
IA-02.02.01
<GroupDescription></GroupDescription>Group -
Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
<VulnDiscussion>Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A conti...Rule Medium Severity -
IA-02.03.01
<GroupDescription></GroupDescription>Group -
Information Assurance - COOP Plan or Testing (Incomplete)
<VulnDiscussion>Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A conti...Rule Low Severity -
IA-03.02.01
<GroupDescription></GroupDescription>Group -
Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
<VulnDiscussion>Failure to recognize, investigate and report information systems security incidents could result in the loss of confidentiali...Rule Medium Severity -
IA-05.02.01
<GroupDescription></GroupDescription>Group -
Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
<VulnDiscussion>If accurate records of authorized users are not maintained, then unauthorized personnel could have access to the system. Fail...Rule Medium Severity -
IA-06.02.01
<GroupDescription></GroupDescription>Group -
Information Assurance - System Training and Certification/ IA Personnel
<VulnDiscussion>Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable. REFE...Rule Medium Severity -
IA-06.02.02
<GroupDescription></GroupDescription>Group -
Information Assurance/Cybersecurity Training for System Users
<VulnDiscussion>Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable. REFE...Rule Medium Severity -
IA-07.02.01
<GroupDescription></GroupDescription>Group -
Information Assurance - Accreditation Documentation
<VulnDiscussion>Failure to provide the proper documentation can lead to a system connecting without all proper safeguards in place, creating ...Rule Medium Severity -
IA-10.02.01
<GroupDescription></GroupDescription>Group -
Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
<VulnDiscussion>Failure to use tested and approved switch boxes can result in the loss or compromise of classified information. REFERENCES: ...Rule Medium Severity -
IA-10.02.02
<GroupDescription></GroupDescription>Group -
Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
<VulnDiscussion>The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore...Rule Medium Severity -
IA-10.02.03
<GroupDescription></GroupDescription>Group -
Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
<VulnDiscussion>Use of "Hot Keys" for switching between devices relies on use of software to separate and switch between the devices. Unless...Rule Medium Severity -
IA-10.03.01
<GroupDescription></GroupDescription>Group -
Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
<VulnDiscussion>Failure to request approval for connection of existing or additional KVM or A/B devices (switch boxes) for use in switching b...Rule Low Severity -
IA-11.01.01
<GroupDescription></GroupDescription>Group -
Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
<VulnDiscussion>Allowing wireless devices in the vicinity of classified processing or discussion could directly result in the loss or comprom...Rule Medium Severity -
IA-11.03.01
<GroupDescription></GroupDescription>Group -
Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
<VulnDiscussion>Not having a wireless policy and/or warning signs at entrances could result in the unauthorized introduction of wireless devi...Rule Low Severity -
IA-12.01.01
<GroupDescription></GroupDescription>Group -
Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
<VulnDiscussion>SIPRNet or other classified network connections that are not properly protected in their physical environment are highly vuln...Rule High Severity -
IA-12.01.02
<GroupDescription></GroupDescription>Group -
Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
<VulnDiscussion>Following is a summary of the primary requirement to use the IEEE 802.1X authentication protocol to secure SIPRNet ports (AKA...Rule High Severity -
IA-12.02.01
<GroupDescription></GroupDescription>Group -
Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
<VulnDiscussion>Unclassified (NIPRNet) network connections that are not properly protected in their physical environment are highly vulnerabl...Rule Medium Severity -
ID-01.02.01
<GroupDescription></GroupDescription>Group -
Industrial Security - DD Form 254
<VulnDiscussion>Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT...Rule Medium Severity -
ID-02.03.01
<GroupDescription></GroupDescription>Group -
Industrial Security - Contractor Visit Authorization Letters (VALs)
<VulnDiscussion>Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials...Rule Low Severity -
ID-03.02.01
<GroupDescription></GroupDescription>Group -
Industrial Security - Contract Guard Vetting
<VulnDiscussion>Failure to screen guards could result in employment of unsuitable personnel who are responsible for the safety and security o...Rule Medium Severity -
IS-01.02.01
<GroupDescription></GroupDescription>Group -
Information Security (INFOSEC) - Safe/Vault/Secure Room Management
<VulnDiscussion>Lack of adequate or Improper procedures for management of safes/vaults and secure rooms could result in the loss or compromis...Rule Medium Severity -
IS-02.01.01
<GroupDescription></GroupDescription>Group -
Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
<VulnDiscussion>Failure to meet Physical Security storage standards could result in the undetected loss or compromise of classified material....Rule High Severity -
IS-02.01.02
<GroupDescription></GroupDescription>Group -
Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
<VulnDiscussion>Failure to meet construction standards could result in the undetected loss or compromise of classified material. REFERENCES:...Rule High Severity -
IS-02.01.03
<GroupDescription></GroupDescription>Group -
Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
<VulnDiscussion>Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room...Rule High Severity -
IS-02.01.04
<GroupDescription></GroupDescription>Group -
Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
<VulnDiscussion>Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a vault or se...Rule High Severity -
IS-02.01.05
<GroupDescription></GroupDescription>Group -
Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
<VulnDiscussion>Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.